* fix(pds): ensure presence of DPoP related response headers
* Expose the request context for AuthVerifier and StreamAuthVerifier as distinct types
* Properly type ReqCtx for stream auth
* feat(api): support creation of oauth based AtpAgents
* oauth: misc fixes for confidential clients
* fix(xprc): remove ReadableStream.from polyfill
* OAuth docs tweaks (#2679)
* OAuth: clarification about client_name being shown
* OAuth: re-write handle resolution privacy concern
* avoid relying on ReadableStream.from in xrpc-server tests
* feat(oauth-types): expose "ALLOW_UNSECURE_ORIGINS" constant
* feat(handle-resolver): expose "AtprotoIdentityDidMethods" type
* fix(oauth-client): ensure that the oauth metadata document contains client_id_metadata_document_supported
* fix(oauth-types): prevent unknown query string in loopback client id
* fix(identity-resolver): check that handle is in did doc's "alsoKnownAs"
* feat(oauth-client:oauth-resolver): allow logging in using either the PDS URL or Entryway URL
* fix(oauth-client): return better error in case of invalid "oauth-protected-resource" status code
* refactor(did): group atproto specific checks in own
* feat(api): relax typing of "appLabelers" and "labelers" AtpClient properties
* allow any did as labeller (for tests mainly)
* fix(api): allow to override "atproto-proxy" on a per-request basis
* remove release candidate versions from changelog
* update changeset for api and xrpc packages
* Add missing changeset
* revert RC versions
* Proper wording in OAUTH.md api example
* remove "pre" changeset file
* xrpc: restore original behavior of setHEader and unsetHeader
* docs: add comment for XrpcClient 's constructor arg
* feat(api): expose "schemas" publicly
* feat(api): allow customizing the whatwg fetch function of the AtpAgent
* docs(api): improve migration docs
* docs: change reference to BskyAgent to AtpAgent
* docs: mention the breaking change regarding setSessionPersistHandler
* fix(api): better split AtpClient concerns
* fix(xrpc): remove unused import
* refactor(api): simplify class hierarchu by removeing AtpClient
* fix(api): mock proper method for facets detection
* restore ability to restore session asynchronously
* feat(api): allow instantiating Agent with same argument as super class
* docs(api): properly extend Agent class
* style(xrpc): var name
* docs(api): remove "async" to header getter
---------
Co-authored-by: Devin Ivy <devinivy@gmail.com>
Co-authored-by: bnewbold <bnewbold@robocracy.org>
Co-authored-by: Hailey <me@haileyok.com>
* Sketch proposal for additional muted words attributes
* Rename ttl -> expiresAt
* Feedback
* Codegen
* Refactor muted words methods to integrate new attributes
* Add changeset
* Use datetime format
* Simplify migration
* Fix tests
* Format
* Re-integrate tests
* Let the lock cook
* Fix comments
* Integrate mute words enhancements (#2643)
* Check expiry when comparing mute words
* Check actors when comparing
* Tweak lex, condegen
* Integrate new prop
* Remove fake timers
(cherry picked from commit ad31910560ce938e3ff64944d46355c64635ebf8)
* Update changeset
* Prevent deleting value when updating
* Include missing test
* Add default
* Apply default 'all' value to existing mute words to satisfy Typescript
* Fix types in tests
* Fix types on new tests
* chore(ci): update setup-node & checkout actions to v4
* refactor(oauth): rename internal types to avoid conflicting types
fix(oauth): support building from parcel
feat(oauth): add runtime lock support to prevent concurrent session updates
feat(oauth): improve metadata validation
fix(oauth): allow use of handle as login hint
fix: proper parsing of authorization header
feat(oauth): add email 2fa support
feat(oauth): adapt auth UI to match app UI
* fix(oauth): improve parsing of digest algo
* fix(oauth-provider): dead code cleanup
* fix(oauth-provider): avoid inconsistent use of "id" prop in InputCheckbox
* style(oauth-provider): use if/else instead of switch
* feat(oauth-provider): stronger validation of customization data
Invalid oauth customization would cause the server to crash at startup.
* docs(oauth-client): explain why the abortRequest method is not mandatory
* fix(oauth-client): cancel fetch response body when not used
* docs: typo
Co-authored-by: devin ivy <devinivy@gmail.com>
* feat(oauth-provider:metadata): add client_id_metadata_document_supported metadata
* fix(oauth-provider): require the content-type to be set on client metadata response
* feat(common): add obfuscation utilities
fix(pds): show user did in logs
fix(ozone): show user did in logs
* tidy
* fix(simple-store): avoid leaking context when calling hooks
* fix: use patch level changeset
* chore(oauth-types): add changeset regarding client_id_metadata_document_supported
* chore: add changeset for bsky & ozone
* unify loggerMiddleware instantiation
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
* Update lex
* Codegen
* Set up StatSig
* Integrate new implementation into old endpoint
* Add todo to crypto module
* Format
* Specify StatSig env
* Downgrade pnpm to match CI, bump lock
* Catch StatSig errors
* Use sep env
* Reset lockfile
* Re-add new dep using correct pnpm version
* tidy
* Integrate into AppContext and lifecycle
* Use camelCase
* Switcheroo
Co-authored-by: devin ivy <devinivy@gmail.com>
* Init prior to server listen start
* Move test env check up to server config
* Add logger and log
* Better comment
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
